Old 11-15-2008, 09:35 AM   #1
Transparent Squid + WCCP + Cisco

Hi everybody!!!

I am stuck in a situation where I need to implement a Squid cache in transparent mode with WCCP enabled on a Cisco router, as below:

Cache Server:
Router with NAT configured:
LAN Clients:

Here is my squid config in squid.conf:

http_port transparent
http_port transparent

hierarchy_stoplist cgi-bin ?
hierarchy_stoplist scripts
hierarchy_stoplist php
hierarchy_stoplist asp
hierarchy_stoplist jsp
acl QUERY urlpath_regex cgi-bin \? asp php jsp scripts
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_mem 512 MB

maximum_object_size 100 MB

cache_dir ufs /var/cache/squid 20000 34 256

access_log /var/log/squid/access.log squid

refresh_pattern -i \.(htm|html|phtml|shtml)$ 43200 90% 129600
refresh_pattern -i \.(bmp|gif|jpeg|jpg)$ 43200 90% 129600
refresh_pattern -i \.(mov|wav|mp3|avi|ram)$ 43200 90% 129600
refresh_pattern -i \.(ps|midi|au|ra|rm)$ 43200 90% 129600
refresh_pattern -i \.(tar|zip|gz|js)$ 43200 90% 129600
refresh_pattern -i \.(doc|pdf|txt)$ 43200 90% 129600

acl all src
acl class1 src
acl class2 src
acl class3 src
acl class4 src
acl class5 src
acl PURGE method purge
acl manager proto cache_object
acl localhost src
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl public_snmp snmp_community public
acl worm1 urlpath_regex -i /readme.eml /sample.exe /whatever.exe /153.lzh /JDBGMGR.EXE
acl worm2 url_regex -i
acl CodeRed urlpath_regex \/default\.ida\?
acl msie6 browser MSIE[[:space:]]6
acl msn-hotmail dstdomain

header_access Accept-Encoding deny msie6 msn-hotmail
http_access deny worm1
http_access deny worm2
http_access deny CodeRed
http_access allow manager localhost
http_access allow purge localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow localhost
http_access allow class1
http_access allow class2
http_access allow class3
http_access allow class4
http_access allow class5
http_access deny purge
http_access deny all

http_reply_access allow all
icp_access allow all

snmp_access allow public_snmp localhost
snmp_access deny all

visible_hostname Metro-Cache

cache_effective_user squid
cache_effective_group squid

buffered_logs on

coredump_dir /var/cache


debug_options ALL,1 80,5
iptables configuration:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# nat table (PREROUTING): intercept port-80 traffic for Squid on 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination
# filter table
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i wccp0 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i wccp0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

**By the way, I configured it with REDIRECT too!!!


And the Cisco 2600 config:

Current configuration : 1929 bytes
!
! Last configuration change at 16:55:38 irst Sat Nov 15 2008 by admin
! NVRAM config last updated at 16:55:54 irst Sat Nov 15 2008 by admin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname behTest
!
aaa new-model
aaa authentication login default local
aaa authentication login test group radius enable
enable secret 5 $1$xsdfgdsgf2Ow$3ikxxQ8/zgfgfghRornYTtXfO2V0
enable password 7 130019022B5sdsdfwettwet951
username admin password 7 030752180sdfwsgaewtgerynl5;;0'0
clock timezone irst 3 30
ip subnet-zero
!
ip wccp web-cache
ip flow-cache timeout active 1
!
interface Ethernet0/0
 ip address
 ip helper-address
 ip nat inside
 ip route-cache flow
 traffic-shape group 101 16000 1000 1000 1000
!
interface Serial0/0
 no ip address
 no fair-queue
!
interface Ethernet0/1
 ip address
 ip nat outside
 ip route-cache flow
 ip wccp web-cache redirect out
!
interface Ethernet1/0
 ip address
!
ip nat inside source list 20 interface Ethernet0/1 overload
ip nat inside source static
ip nat inside source static
ip flow-export source Ethernet0/0
ip flow-export version 5
ip flow-export destination 9996
ip classless
ip route
ip http server
ip pim bidir-enable
!
logging trap debugging
logging source-interface Ethernet0/0
access-list 20 permit
access-list 20 permit
access-list 101 permit ip host any
!
line con 0
line aux 0
line vty 0 4
 logging synchronous
!
ntp clock-period 17180003
ntp server

**Also configured with both versions of WCCP.

Also, as in the iptables rules, I've created a GRE tunnel (wccp0) and added it as below:

ip tunnel add wccp0 mode gre remote local dev eth0
ip addr add dev wccp0
ip link set wccp0 up


I also loaded the ip_gre module.


Everything looks good, but there is nothing in tail -f access.log, and when I use ifconfig there is no traffic on the GRE interface!!!

By the way, when I use tcpdump I can see this error every 2-3 seconds:
802.1d unknown version


Please help ASAP....many thanks friends....
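The post's GRE tunnel (wccp0) only ever carries traffic once the router has agreed to redirect, so the first useful check is whether WCCP/GRE packets reach eth0 at all and whether they carry what the cache expects. The decoder below, an added example that is not code from the original post, builds a constructed sample of a WCCP redirect (outer IPv4 from the router, GRE with protocol type 0x883E, the optional 4-byte WCCPv2 redirect header, then the client's original IPv4/TCP SYN to port 80) and parses it the same way Linux ip_gre does (a redirect header is assumed present whenever the byte after GRE is not an IPv4 version nibble). The addresses 192.0.2.1 (router), 192.0.2.10 (cache), 192.0.2.100 (client) and 203.0.113.7 (web server) are placeholders for the ones the post elides; the redirect-header field layout (flags, service ID, alternative bucket, primary bucket) follows the WCCPv2 Internet-Draft.

```python
import socket
import struct

ETH_P_IP = 0x0800
ETH_P_WCCP = 0x883E        # GRE protocol type used by WCCP redirection
IPPROTO_GRE = 47

# Assumed addresses (the post elides its real ones).
ROUTER_IP = "192.0.2.1"    # WCCP router = GRE "remote"
CACHE_IP = "192.0.2.10"    # Squid host  = GRE "local"
CLIENT_IP = "192.0.2.100"  # a LAN client
WEB_IP = "203.0.113.7"     # an origin web server


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_wccp_redirect(client, server, sport, dport, service_id=0, bucket=17, v2=True):
    """Constructed sample of what the router sends: outer IP / GRE / [WCCPv2 hdr] / IP / TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header(client, server, socket.IPPROTO_TCP, len(tcp)) + tcp
    gre = struct.pack("!HH", 0x0000, ETH_P_WCCP)   # no C/K/S bits, GRE version 0
    # WCCPv2 redirect header: flags (0x80 dynamic service, 0x40 alt bucket used),
    # service ID (0 = the well-known "web-cache" service), alt bucket, primary bucket.
    wccp = struct.pack("!BBBB", 0x00, service_id, 0, bucket) if v2 else b""
    payload = gre + wccp + inner
    return ipv4_header(ROUTER_IP, CACHE_IP, IPPROTO_GRE, len(payload)) + payload


def decode_wccp_redirect(pkt: bytes, expected_router: str = ROUTER_IP) -> dict:
    """Parse a redirect; raise ValueError for anything the tunnel should not accept."""
    # Outer IPv4: must be GRE from the configured router. The kernel applies the
    # same source check when it maps GRE onto a tunnel with a fixed "remote".
    if len(pkt) < 24 or pkt[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % pkt[9])
    router = socket.inet_ntoa(pkt[12:16])
    if router != expected_router:
        raise ValueError("GRE from %s, not the WCCP router" % router)
    off = ihl
    # GRE: flags/version, protocol type, then optional checksum/key/sequence fields.
    flags, gre_proto = struct.unpack_from("!HH", pkt, off)
    if flags & 0x0007:
        raise ValueError("GRE version %d not supported" % (flags & 7))
    off += 4
    if flags & 0x8000:
        off += 4   # checksum + reserved1
    if flags & 0x2000:
        off += 4   # key
    if flags & 0x1000:
        off += 4   # sequence number
    wccp = None
    if gre_proto == ETH_P_WCCP:
        # WCCPv1 carries IPv4 directly; WCCPv2 prepends a 4-byte redirect header.
        if pkt[off] >> 4 != 4:
            b0, sid, alt, pri = struct.unpack_from("!BBBB", pkt, off)
            wccp = {"dynamic_service": bool(b0 & 0x80), "alt_bucket_used": bool(b0 & 0x40),
                    "service_id": sid, "alt_bucket": alt, "primary_bucket": pri}
            off += 4
    elif gre_proto != ETH_P_IP:
        raise ValueError("GRE protocol 0x%04x is neither IPv4 nor WCCP" % gre_proto)
    # Inner IPv4 + TCP: the redirected client packet Squid will see on wccp0.
    if pkt[off] >> 4 != 4:
        raise ValueError("inner header is not IPv4")
    iihl = (pkt[off] & 0x0F) * 4
    if checksum(pkt[off:off + iihl]) != 0:
        raise ValueError("bad inner IPv4 checksum")
    if pkt[off + 9] != socket.IPPROTO_TCP:
        raise ValueError("inner protocol is not TCP")
    client = socket.inet_ntoa(pkt[off + 12:off + 16])
    server = socket.inet_ntoa(pkt[off + 16:off + 20])
    toff = off + iihl
    sport, dport = struct.unpack_from("!HH", pkt, toff)
    return {"router": router, "wccp": wccp, "client": client, "server": server,
            "sport": sport, "dport": dport, "syn": bool(pkt[toff + 13] & 0x02)}


def accept_redirect(pkt: bytes, expected_router: str) -> bool:
    """True only for a well-formed redirect from the configured router aimed at port 80."""
    try:
        return decode_wccp_redirect(pkt, expected_router)["dport"] == 80
    except (ValueError, struct.error, IndexError):
        return False


if __name__ == "__main__":
    print(decode_wccp_redirect(build_wccp_redirect(CLIENT_IP, WEB_IP, 40000, 80)))
```

On the cache, `tcpdump -ni eth0 'proto gre or udp port 2048'` shows both halves of what this decoder models: WCCPv2 negotiation (HERE_I_AM from the cache, I_SEE_YOU from the router, on UDP 2048) and, only after that succeeds, the GRE redirects. If no I_SEE_YOU ever arrives, wccp0 will stay silent no matter how the iptables rules are written. The outer-source check matters because the posted filter rules accept everything decapsulated from wccp0 (`-A INPUT -i wccp0 -j ACCEPT`), so the tunnel's fixed `remote` is what keeps arbitrary hosts from injecting "client" traffic into the proxy over GRE. Separately, the `password 7` strings in the posted router config are a reversible encoding rather than hashes; a config that has been pasted publicly should have those credentials rotated.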


